Monday, 13 August 2012

Cisco Smart Logging Telemetry (SLT) on a 3560G - Netflow Trial

A while ago, I researched the possibility of using/enabling Netflow on a couple of Cisco 3560G switches we'd purchased.  After much head scratching it was deemed you'd need IOS revision 12.2(58)SE to get any form of netflow - and it's not even netflow. Hmmmm....

So... out of hours, I upgraded one of the switches to this new firmware to give it a go.
After a nervous wait for it to restart (logging in remotely from home) I checked to see if the commands were available - which they were.
So off we go:
Create the exporter:
flow exporter test-collector
 description "collection of data for the boss"
 destination 192.168.246.100

This creates an exporter profile in which I can describe what its for and where the data should go.

Then configure smartlog:
conf t
logging smartlog
logging smartlog exporter test-collector
logging smartlog packet capture size 1024
We then need to give it something to report about.  As a test I created an ACL which permits everything:
access-list 97 permit any smartlog
and then assigned it to an interface:
interface GigabitEthernet0/3
 description Monitoring port for the boss
 ip access-group 97 in

And that's it - pretty easy to set up, but to be honest its limitations are immediately visible when using Scrutinizer (or other net/s/flow related applications).  I've just shown you a test example of the ACL here - I amended it later to monitor a specific DENY on a particular protocol on a specific port.
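As an added example (not the post's own configuration) of the narrower ACL just mentioned: only ACL entries carrying the smartlog keyword produce an SLT event, so a deny on one protocol and port is what turns the export into something useful. The ACL name SLT-DENY-TELNET and the choice of telnet (tcp/23) are constructed for illustration; the exporter and smartlog lines repeat the post's own settings.

```cisco
! Added example: the exporter and smartlog settings from the post, plus a
! constructed extended ACL that exports only blocked telnet attempts.
flow exporter test-collector
 description "collection of data for the boss"
 destination 192.168.246.100
!
logging smartlog
logging smartlog exporter test-collector
logging smartlog packet capture size 1024
!
! Constructed ACL: the deny entry is the only line with the smartlog keyword,
! so the collector sees one record (with a packet sample) per dropped telnet
! packet and nothing for the traffic the permit line lets through.
ip access-list extended SLT-DENY-TELNET
 remark export a sample of every blocked telnet attempt, forward everything else
 deny   tcp any any eq 23 smartlog
 permit ip any any
!
interface GigabitEthernet0/3
 description Monitoring port for the boss
 ip access-group SLT-DENY-TELNET in
!
! Check on the switch that smart logging is enabled and bound to the exporter:
! show logging smartlog
```

Because the permit entry has no smartlog keyword, allowed traffic never reaches the collector; that is the event-based restriction the post goes on to describe.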

This is netflow but with restrictions.  The data has to be event based, so you can only view data once an event has occurred and been logged.  That in itself limits what you can see.
Don't get me wrong, it's far easier than trawling through syslog data and you can drill down into the raw data to at least see some of the packet, but other than assessing security concerns, I'm struggling to see how I'd use it.

In terms of satisfying the original request to view netflow data, I will put the question back to the originator with a politically cryptic hint of sarcasm.... "What netflow data????"

Thursday, 19 July 2012

Netflow NoGo on a Cisco Catalyst 3560 switch

In our haste to purchase switches for an already over-run project, it would appear we overlooked the product features of the 3560G.
I have been asked to enable netflow on one of the two switches we use in a production environment, but after much head scratching - the 3560 doesn't support it.

Looking further into it, the whole 3000 series doesn't.  Unless you either buy the uplink 10G modules (but then I'm sure it'll only allow you to monitor uplinks) or use a trimmed down version of netflow exporting (appearing in 12.2(58)SE) from a later revision firmware.  Of course, we are a few releases behind that - but I think it might be worth giving it a go anyway to try and satisfy the request.

So, it's a netflow no go.  For now.